The SharePoint Hillbilly
To remove duplicate events from splunk, follow these steps – Step 1 – Put all the duplicate events in lookup table. index=* sourcetype=[SourceType] | eval id=_cd.”|”.index.”|”.splunk_server | transaction _raw maxspan=1s keepevicted=true mvlist=t | search eventcount>1 | eval delete_id=mvindex(id, 1, -1) | stats c by delete_id | outputlookup delete_these.csv Step 2 – View the events stored […]
To remove all events from host, we need to actually clean the index that is applied on that host. To clean the corresponding index, run this cli command – Open command prompt and navigate to %SPLUNKinstallationdirectory%/bin. splunk stop splunk clean eventdata -index [indexname] –f splunk start Example – To clean index named ‘default’ Splunk stop splunk clean eventdata […]
This post is basically a walkthrough about how to setup Splunk forwarder and configure it to monitor csv files. It was reasonably difficult for me to collect proper information on this topic as splunk documentation is not very extensive in terms of how it can be configured with different data sources that it supports. I […]